Various suggestions to make AdwCleaner even better


I got a whole bunch of different suggestions today, but the majority of them individually should not take too much time to implement if done one-by-one. Some of them will understandably take a lot more time to develop.

[Quality of Life] Block the various Anti-AdBlocker things on websites. You can check uBlock Extra and Nano Defender on the Chrome Web Store for more information. Credit the authors of these Chrome extensions in a Special Thanks tab.

[Quality of Life] Partner up with STANDS to reroute navigation to/from advertising sites (via proxy edits to the HOSTS file, or something) through the same service which powers their Fair AdBlocker. Can also help with Windows 10 and Skype advertisements outside of browsers. Be sure to credit them in the Special Thanks tab.

[Prevention] Hire the guy who made Unchecky, and incorporate it into AdwCleaner to reduce the risk of accidental installation of Adware (extra checkboxes in installers will be unchecked by default, and rechecking them will display a warning notification.) Credit him and link to his website as well, on the Special Thanks tab.

[Optimization] Get in touch with the guy who made CleanMem and incorporate it into AdwCleaner, since Adware can use up considerable memory at times. CleanMem also improves system memory usage in general by effectively acting as garbage collection. As before, credit the author and link to his website on the Special Thanks tab.

[Cleanup] Automatically audit any registry changes made by installers when they run (as well as taking before/after snapshots), as this can significantly help in cleaning up any Registry Debris when removing Adware. (My own special thanks to Bitsum for introducing me to the term Registry Debris; the term 'garbage data' is just lame in comparison.)

[User Guides] Link to the Dark Patterns website and Twitter in the Special Thanks section: By educating users so they can recognize the shady tactics frequently used by many Adware developers, you can further reduce the risk of getting infected and help to slow the proliferation of Adware. An ounce of prevention is worth a pound of cure.

[Optimization] Use Large Memory Pages, and make the program and driver fully PAE-aware (along with other optimizations for large address spaces). This has the potential to significantly optimize the CPU usage of the application as page writes can be significantly reduced, and even in 32-bit mode the program will be able to access additional physical memory that it otherwise couldn't due to being integrated so tightly with the driver. This also helps to improve stability by making it less difficult to avoid bad RAM sectors through smart allocation (Memtest86+ can output a config file identifying these bad sectors).

[Detection] Embed de-obfuscation routines into Registry and Filesystem searching to help decode things such as XOR/ROT loops, Base64 (with or without modified alphabets), manual linguistics encoding (Smoldering Tongue for example, which I'll explain elsewhere), uncommon ASCII codepages, and so on.

[Compatibility] Compile the program using the portable .NET Core Runtime to minimize its dependence on external libraries, especially on earlier versions of Windows. This would also have the side benefit of making the program easier to port over to other platforms in the future (and it is worth noting that the Malwarebytes Support Tool would also benefit from this). Who knows, it may even allow archaic operating systems like Windows 2000 to benefit from a small sampling of the latest .NET runtime features.

[Aesthetic] Display a splashscreen while opening the program, so that it doesn't feel like it is just doing nothing when the user is waiting for the GUI to appear... Which admittedly should not take very long anyway.

[Prevention] Automatically scan freshly downloaded installers and self-extracting archives with VirusTotal and the online OPSWAT API, and notify the user of the results. If Adware or signs of a trojan are detected within a packed installer, then attempt to sanitize the installer if at all possible.

[Prevention] Sandbox installers when they run and virtualize any changes they make to the registry, scrubbing them to remove malicious registry alterations before committing the changes

[Remediation] When an installer runs, cache all of the changes that it makes to the Filesystem in order to aid in future cleanup (a feature roughly based on the Ransomware Rollback feature in the MBAM Business line). Also use Sandboxing to Audit and Redirect any attempts by an installer to alter a protected file or folder.

[Accessibility] Use GDIPP in the GUI, or better yet, get in touch with Daniel Georgiev at IrisTech for his FontFocus renderer. On top of significantly improving the appearance and readability of rendered text, this also allows linking multiple fonts together to provide enhanced support for displaying multilingual text

[Accessibility] Implement the Dyslexie typeface, to make everything easier to read for dyslexic individuals. This one might actually be a bit tricky because of licensing costs.

[Accessibility] Make the GUI more colorblindness-friendly and DPI aware.

[Accessibility] Make the GUI easier to interact with when only using a Keyboard

[Optimization] For the .ICO file used by the program, use a Progressive PNG graphic (optimized with pngquant followed by pnggauntlet) instead of a raw bitmap (as Windows supported PNG-based ICO files since Vista). This can potentially make the file significantly smaller, and allow a low resolution preview to display immediately while the full icon is still loading, instead of just seeing a blank placeholder. Also use the driver to force NTFS compression on the .ICO file

[Forensics] Use an XML-derived file format (XML + HTML5 + SVG) for storing scan logs; the logs are still primarily XML, but can be viewed as offline webpages. Each detected item is marked by two SVG-based Identicons, one Blocky and one Abstract, for easy identification. All relevant data is organized relationally, and also color-coded to indicate various aspects.

[User Guides] A binary-compiled version of this same XML/HTML5/SVG hybrid format would allow for an Offline version of the Help Resources to be built-in to the program, along with extra features such as providing limited interactivity to help demonstrate things to the user, and the ability to update the documentation automatically to keep up with new information

[Optimization] Automatically pack the scan logs into a ZIP archive, and also automatically perform NTFS compression on the AdwCleaner folder itself

[Forensics] If using Windows 10, include an option to automatically transfer the logs to the system's OneDrive Folder, with Symbolic Links left in the former location of the original file. Logs could also be automatically uploaded to the Malwarebytes servers for analysis, especially helpful if they contain Debug information as well.

[Optimization] Pack the executable using PECompact, provided by Bitsum. Not only can it significantly reduce the size of the executable for portability, it can also protect it from reverse-engineering without the program being marked as suspicious by other Anti-Virus vendors (as PECompact is specifically designed to work with Anti-Malware providers). If necessary, you could modify the built-in unpacker to only unpack portions of the program as needed as a means to conserve working memory. It also lets you customize different codecs for compression.

[Optimization] Compile native x86, x64, IA-64 and ARM64 versions of the program, with a single installer that detects your current hardware and installs the correct version, and utilize a compiler with OpenMP/OpenACC support to squeeze every last ounce of additional performance out of the program.

[Quality of Life] Use an Online-enabled, Offline-capable installer, giving you the benefits of Offline Installation while also having the ability to receive the most recent updates before you even begin the installation process. The installer executable could itself also function as a portable version of the program, no installation required.

[Quality of Life] Update packages should be able to download in the background and later be installed at a moment's notice, even when offline. There can also be the ability to share update packages over a Peer-to-Peer LAN.

[Quality of Life] Abuse the Task Scheduler to prevent annoying UAC prompts every time the user tries to launch the program, including automatic tweaks to the various shortcuts on the Taskbar, in the Start Menu and Quick Launch, and on the desktop. (You can abuse the task scheduler to do other useful things too, but nothing comes to mind at the moment.)

[Optimization] Scan files and folders on NTFS partitions in the order in which they would appear in the filesystem, to speed up scans on mechanical drives by minimizing head seeking.

[Availability] Make AdwCleaner available on the Windows Store and the Software section of the Steam store, to make the program accessible to as many people as possible. Maybe include a donation link in the program itself, along with links to the main Malwarebytes website, the blog, the forums, and other such stuff.

[Remediation] Create an AdwCleaner version of the Chameleon self-protection driver.

[Optimization] Enable scanning of multiple physical drives simultaneously, performing different types of heuristics in parallel, and even optimizing some drives or checking them for errors while others are still being scanned.

[Compatibility] Use legacy instructions such as MMX, 3DNow! and the original SSE on older systems where SSE2 instructions are not available. Performance and accuracy will understandably suffer, but it is better than not having the program at all.

[Quality of Life] Include a tab where you can see the current program version, third-party licensing information, the currently running executable's hash and file location, whether you're running portable or Installed, which architecture you are running it on, and lastly a detailed overview of your hardware and OS installation, providing the same information that you would get out of CPU-Z and GPU-Z.

[Optimization] If the execution threads for the application begin to hang or stall, such as if they are waiting on something, temporarily lower their Thread Priority and change their Core Affinity (also disable Core Parking when this occurs). Credit once again goes to Bitsum for this, look into Process Lasso for more information.


Probably can't do that; what if they're using some other antivirus/anti-malware software that conflicts with it and has deliberately disabled it?

Adblock Plus and other ad blockers already have this capability, and there are plenty of free third party extensions and lists that provide this functionality; also, since ADWCleaner is a remediation-only tool, not a protection/prevention product, it wouldn't make much sense for it, at least in my opinion

Again, outside the purview of ADWCleaner; it's just a remediation tool, nothing more

This might be a good idea, but not for ADWCleaner (refer to 2 and 3 above) so maybe for Malwarebytes?

Modern systems very seldom (if ever) run low enough on RAM to ever page anything to disk/the paging file, and contrary to what some may believe, unused memory is wasted memory. Please refer to this article, this article, this article, this article, and this article. In a nutshell, when people complain about apps consuming too much RAM (especially when they still have several GB free/not in use by anything at all) it only reveals how little they understand computers and software.

Again, please refer to 2, 3 and 4 above; besides, ADWCleaner strictly uses signatures and heuristics for detections so any behavior monitoring would serve no purpose for it, though this sort of thing could be useful for a rollback tool (such as the one included with some of Malwarebytes' business products, however it already has this functionality as I understand it)

While this is true, that's really the purpose of Malwarebytes Premium and promoting some unknown third party resource in an official Malwarebytes product isn't going to happen I'm pretty sure.

Why? It's a remediation scanner. There's nothing wrong with performance optimizations like multi-threading etc., but you can only optimize the code so much before you reach the point of seriously diminishing returns, and going this far would not only dramatically increase the risk of conflicts and instability, but would be a serious sinkhole of dev effort that likely wouldn't be worth it just for a scanner that as it is only takes a few minutes to run on most systems (especially since so many now have SSD's). Also, actual bad RAM is an extreme rarity these days. It used to be a lot more common years ago, but modern RAM is mass produced on such a large scale with only like 3 actual RAM chip manufacturers (Samsung, Micron and Hynix) and they're very good at what they do as they've been doing it for so long and their processes are so mature, and they do extensive testing on their modules (especially DDR4 thanks to tech like XMP for Intel boards/CPUs and the equivalent AMP profiles for AMD boards/CPUs) that arbitrarily testing a user's RAM probably wouldn't serve any real purpose. This is also a task for a diagnostics tool, not a basic PUP/adware scanner/remediation tool, again, at least in my opinion (the Techbench program would be a better place for this I think, as it is targeted specifically at PC repair techs).

Not sure that this belongs in a basic/narrow focus tool like ADWCleaner; probably more suited to Malwarebytes, and even then, only if such methods are actually being used by the bad guys, otherwise a tool like FRST or ComboFix would be a better place for this.

I don't know, but I suspect it has a pretty small set of dependencies as it is, as it's already quite portable and I believe much of its internal structure is essentially scripts, though that's based on what I know of much older versions (prior to Malwarebytes' acquisition of the tool) so that may have changed, but I think Malwarebytes being cross-platform (which it essentially is, with versions for Mac and mobile platforms already) would be the place for requests like this, especially since they've already stated that they plan to discontinue this tool eventually once its capabilities have been fully integrated into Malwarebytes (that's also a big reason not to invest too much time/effort/cost in developing new major features for it etc.)

50/50 on this one. Every program that has a splash screen gets complaints about/requests from users to disable/remove it because they think it wastes resources that could better be used to get the program loaded faster. I don't care much either way, though I'm not really the biggest fan of them either as I see little use in them (and I can always check Task Manager to determine if a program is running/loading etc. anyway if I really want to).

Again, protection/prevention is beyond the scope of this tool.

As above; not a protection/prevention tool/product.

Same as before; this tool is for one-time cleanups, not advanced prevention/diagnostics etc., and it would seriously cannibalize the business products to include such a feature in a free end user tool.

Probably not; refer to comments about the limited shelf-life of this tool/its planned integration into Malwarebytes

Don't know about colorblindness, I think it's already pretty good in this regard, but improved DPI scaling would be good for accessibility.

I could go either way on this one. While I see the advantages, it's another one of those "nice to haves" that might not be worth the effort, especially if this tool isn't going to be around much longer.

As long as they display On/Off I see little value in this.

Why?

I'm not opposed to using a PNG (actually, I think they already are, though I may be mistaken), but I'd only want these changes if they required minimum effort, again, due to the likely short-term lifespan of this tool.

This tool is relied upon by forum helpers throughout the world too frequently to switch from a basic text formatted log that can easily be copy/pasted/read on forums so I'd advise against this.

No need for auto-updating documentation since users are required to download an entirely new copy whenever a new build is published given the fact that it's a standalone and virtually portable tool.

Not sure about this one since again, forums, and many helpers like the logs just copy/pasted into replies, not zipped/attached and it's not like they take up all that much space anyway, nor is space at a premium these days given the ever dropping cost of SSD's per GB and increasing sizes available.

Nah, it's used outside Malwarebytes too much for this to be of much value. Before Malwarebytes acquired it, it was and remains a very popular tool on help forums as I mentioned previously.

See my thoughts above regarding drive space, free RAM and I'll also add that generally speaking, internet speeds are also quite fast these days and getting faster (fibre, 5G etc.)

Totally not worth it in my opinion for such a basic, fast tool that's specialized to detecting PUPs/adware on Windows (only 1 Researcher/Developer as far as I know also) and the gains would definitely not be worth the effort (hardly anyone would notice any performance boost from it, especially given its quite basic functionality which is way more disk speed limited than anything else, not CPU/architecture/memory limited), and again, a lot of work for such a short-term tool.

It doesn't install; it just extracts a few things and runs, using static storage locations for convenience more than anything, and it does work offline as it includes a full set of databases (though obviously it's always best to update when possible to get the latest/best detection capabilities).

All connections should be encrypted as I understand it. Anything beyond that would likely not be worth the effort.

What update packages? It downloads signatures, that's it, otherwise if a new version is available then the user needs to download that instead (an entirely new copy of the tool), but if they just downloaded it then they should already have the latest one. This isn't a tool designed to keep around on a system constantly; it's a portable, disposable tool to detect/remove PUPs/adware.

A security vendor exploiting/violating UAC or any other OS level security is a bad look and a poor practice. We're the good guys, not the bad guys so probably not gonna happen. And again, standalone/portable/disposable tool, not a long-term tool to keep around and run every day.

Probably counterproductive since I suspect it uses a deliberate order that tracks with certain heuristics functions and signatures built into the tool (lots of "if a=n then b" type stuff I suspect), and again, it's pretty fast as it is.

It's already pretty widely known so not much use in this, plus it probably doesn't meet MS' requirements for going up on the Windows Store nor would it be worth the efforts to make it so. Also, Malwarebytes is a company, they don't accept donations. If someone wishes to support them/their efforts financially they can purchase a license for one of the products, such as Malwarebytes Premium.

Probably not necessary, especially since any adware likely to be blocking this tool would need MBAR to detect/remove the rootkit components first anyway (SmartService Yelloader etc.) and there are ways to use Chameleon to protect other tools...

What for?

ADWCleaner is a really specialized tool primarily designed to target active/installed PUPs/adware, not a full AV scanner that needs to scan every drive/folder on the system (that's why there's no option to select where to scan).

Not useful since ADWCleaner itself is newer than the operating systems and threats that pre-date its current supported technologies (no signatures for really old PUPs/adware); I'd recommend an old copy of Spybot S&D and/or Ad-Aware SE for such systems/threats which actually did exist back then.

?

Way beyond the scope of this tool. Some of this would be good for (and is already integrated into) Techbench.

Probably doesn't happen frequently enough for it to be worth it, but for Malwarebytes maybe (assuming those types of issues are still at all common in that product, which I don't believe they are these days).

Again, not a protection tool. hpHosts is freely available for anyone who wishes to use it, plus I'm sure many users would be upset if ADWCleaner started editing their HOSTS files/blocking sites without their consent or knowledge all of a sudden when they run it.


37. Was something I forgot to remove. I was working on this list for hours in between other things, but some older computers don't have SSE2 capability despite running operating systems where Malwarebytes would be applicable. Sue me >.<

I did my best to try to distill the rest of the list to things that would actually be applicable. Accessibility stuff is important (and the I/O labels on toggle switches are something I see on Apple products, great for colorblind users), and I'm aware that AdwCleaner will eventually become part of Malwarebytes itself.

As for the PUA Protection in Windows Defender, it is an obscure setting most people don't know about, and any Anti-Virus solutions which would conflict with Windows Defender would already automatically disable its real-time protection anyway.


Sorry, 38. was the one that was supposed to have the ?, not 37 (though I think you figured that out). I just wasn't familiar with what context switching was (I'm not a dev so it's outside my wheelhouse).

I see your point regarding the on/off switches, but when they literally say On and Off it's hard to argue for colorblind users, at least in my opinion, since it's literally black text on a white background. The coloring of the switch background is also a factor since it's a dark color vs a light color, so even if they are colorblind, the difference between on and off should still be quite obvious.

Regarding PUA in Defender, I'd leave that to either Microsoft themselves or some third party tool designed for locking down Windows systems, not a third party standalone remediation tool. It just doesn't seem like a feature one would expect from a tool like ADWCleaner. If it were ADWBlocker or Windows Security Lockdown tool then it would be a different story, but that's not the tool's intended purpose and would just add a feature that I don't think most users would expect or want (though I could be wrong of course).


Oh, as for the "Scan files and folders in order to make things faster" thing, that's a feature I actually saw in the free version of AVG. The explanation it gave for how it worked is also something that only applies to mechanical hard-disks, and it also mentioned that it would only work on NTFS-formatted volumes because the program doesn't natively understand any others.

The option to scan DOS-based executables and archives is also something that was in AVG, and even though the computer that AVG was installed on was using 64-bit Windows 10, the option was still available for some reason. It's worth noting that I did not put AVG on there, it was a relative's computer and I already set her up with Malwarebytes Premium, but I was given standing orders by her to continue to check on her computer's settings for performance and stability purposes.

All of my stuff regarding third-party links/licenses and different special thanks stuff would go in its own tab or drop-down menu, that way users would not be required to see it if they didn't want to. I'm also surprised that companies don't provide the option to provide donations for folks who want to support them but don't have interest in any particular products.


Any time Malwarebytes uses third party resources they give credit (they have to, it's required by most EULA's) so that wouldn't be an issue. The problem I have with it is linking to some web resource which not only wasn't generated by Malwarebytes, but could also change at any time or be taken down and also would better be served in some kind of online guide rather than within a product. As for integrating third party libraries etc., I'm sure they would if they ever saw a need, but it probably wouldn't be worth the effort in this case based on the purpose of the tool as I mentioned. It's really limited in scope as far as what it is and what it does, though some of these suggestions would likely be better for requests/suggestions for new products and/or resources (like something for the Techbench project or the blog or something like that).

I could certainly see the benefits of scanning multiple drives simultaneously, but again, ADWCleaner is a really specialized tool, not a flat file scanner like an AV like AVG so it doesn't even scan more than one drive in sequence, much less have a need to do so simultaneously. Besides, as it is both it and Malwarebytes pretty much max out on resources/threads just scanning files on the main OS drive, so trying to add more by scanning other disks at the same time would just bottleneck things even further (the scan engine in Malwarebytes is really tuned to leverage all available CPU cores and threads to scan as many files at the same time as possible, so even though it only shows one object/location being scanned at a time in the UI, it's actually scanning at least as many as there are available cores/threads for your CPU, which in my case means it scans literally 8 files simultaneously any time it is scanning because I have a 4 core CPU with Hyperthreading).

As for donations, as I mentioned, Malwarebytes doesn't accept them and they haven't ever since they became a corporation. Most companies don't and it likely has to do with the fact that it kinda looks bad for a company that sells products for money to have their hand out asking for donations in any of their tools/products when they already are charging for some of the services and solutions they offer. To be frank, Malwarebytes is doing pretty well and I don't think they need the donations. They appreciate the enthusiasm and support of the community and happy users who they've helped to clean up their systems of course, but their thanks is sufficient reward, and even then, not a requirement at all. They really take pride in the fact that they help make the web safer for everyone, and if someone wants to help support their efforts financially they can purchase a license (and just give it away if they have no use for it on their own devices) and if that's not sufficient or they don't have enough for a license, they can just donate the money to their favorite charity. The only profit Malwarebytes seeks from their free offerings like ADWCleaner and the free version of Malwarebytes is to promote their products and brand, positive word of mouth and of course to inform users about their paid offerings with whatever in-product messaging they have about the Premium version etc. It would be different if it was just one independent developer with little or no resources, but Malwarebytes is a multi-million dollar corporation now. They're perfectly content for users to just tell their friends about Malwarebytes' tools and products if they got some benefit out of them like using them to successfully clean up their PCs. 
That's more than sufficient thanks for the work they do on these free tools and they don't expect anything more than that for providing them, and of course even that is optional (though it's likely to happen anyway if a user does have a positive experience using one of their tools because that's how people are; when they have a good experience with something they tend to tell their friends about it).